David Harley

David Harley

Senior Research Fellow

Education? Academic background in modern languages, social sciences, and computer science.

Highlights of your career? I was a late starter (1986) as an IT professional, beginning at the Royal Free Hospital, then with the Human Genome Project (1989), then at Imperial Cancer Research Fund (1991-2001), where I wrote/co-wrote/edited a number of Internet FAQs and my first articles on programming and security. I presented my first conference papers in 1997 (at Virus Bulletin and SANS). In 2001 Osborne published Viruses Revealed (co-written with Robert Slade and Urs Gattiker): VR and the later AVIEN Malware Defense Guide (Syngress) – to which Andrew Lee also contributed – are probably the best known of my books. When I rejoined the UK’s National Health Service in 2001, I ran the Threat Assessment Centre and was the go-to person nationally for malware issues. I left to work as a freelance author and consultant in 2006, which is also when I began to work with ESET.

Position and history at ESET? Senior Research Fellow at ESET N. America. Primarily, I’m an author and blogger, editor, conference speaker, and commentator on a wide range of security issues. Like the rest of the industry, they put up with me because I’ve been around so long.

What malware do you hate the most? Malware is just code. It’s malicious people I detest. While I’ve no love of scammers, I can see that it’s easier to be honest in a relatively prosperous environment – if there is such a thing anymore – and that cybercrime can be driven by an economic imperative. But I have nothing but contempt for those sociopaths who cause harm to others for no reason except that they can.

Favorite activities? The guitar (I still gig and record when time allows), other people’s music. I love opera but don’t attempt to sing it. Photography, art, poetry, country walking – well, ambling is about as much as I can manage at my age – good food and wine, good television when I can find it...

What is your golden rule for cyberspace? Scepticism is a survival trait: don’t assume that anything you read online is gospel truth, even this adage.

When did you get your first computer and what kind was it? Amstrad PCW (primarily a word-processor) in 1986. What else would you expect a not-very-rich author to buy in 1986? :)

Favorite computer game/activity? Extra-curricular writing (blogging, verse and lyrics, articles). Digital photography and miscellaneous artwork.

Articles by author

Facebook and 419s

...I know that Facebook has various countermeasures for dealing with the even more various types of fraud that Facebook users are subjected to. Does it really believe that those measures are so effective, no fraudulent message can ever get through?

Supertrojan Supersighs Me

Zeus-associated malware (and that includes SpyEye and "SpyZeuS") isn't supernaturally difficult to detect. It is, however, pretty adaptive and has introduced, from time to time, some innovative counter-detection techniques.

Added to Stuxnet resources page…

…an article by William Gibson (yes, that William Gibson) draws a connection between Brain (a 25-year-old PC virus) and Stuxnet. 25 Years of Digital Vandalism. He doesn't seem to think much of Stuxnet, drawing a much-to-the-point riposte from Bob McMillan:!/bobmcmillan/status/30533396702699520. Links added to Stuxnet Information and Resources (3). David Harley CITP FBCS CISSP ESET

AMTSO members meeting

The next AMTSO members meeting is getting pretty close… It's being held in San Mateo on the 10th and 11th February. More information, including the preliminary agenda, on the AMTSO meetings page. David Harley CITP FBCS CISSP ESET Senior Research Fellow

Phone Scams and Panic Attacks

...many scams work by panicking victims into taking some unwise action, whether it's parting with their credit card details or opening a malicious program, claiming that some problem or illegal action is associated with their computer or IP address, such as transmitting malware or visiting paedophile or other pornographic sites...

Stuxnet: the Never‑Ending Story

...The NYT article strikes me as being well-researched, well-written, and well worth reading, and the involvement of Dimona is more plausible than much of the speculation I've seen, but it's still hard to distinguish hard fact from sheer guesswork...

Stuxnet and Iran's New York Times article "Israel Tests on Worm Called Crucial in Iran Nuclear Delay" ... is a notable addition to the information and commentary on this aspect of the Stuxnet phenomenon...


My Russian colleague Aleksandr Matrosov reports that this week he received an interesting sample from forensic investigation specialists Group-IB. The threat in question is detected by ESET products as Win32/Sheldor.NAD, and coverage by other vendors is reasonable: see The interesting feature of this sample is that it uses the TeamViewer 5.0 standalone component to effect remote control of the

Added to Stuxnet resources page

Tony Dyhouse writes in SC Magazine about the political implications for the security community of the Stuxnet and Wikileaks incidents. The link has also been added to the Stuxnet resources post at /2011/01/03/stuxnet-information-and-resources/5731 on 14th January 2011.. David Harley CITP FBCS CISSP

Stuxnet Resources Update

Added to the resources blog at Report of a Stuxnet-unrelated vulnerability in SCADA software A speculative cyberwar link Some links on Iranian post-Stuxnet "cybermilitia" recruitment. David Harley CITP FBCS CISSP

Changes at ESET

This isn't really Threatblog fodder, but I'd like to take the opportunity to congratulate Richard Marko and Andrew Lee on their accession to ESET CEO superstardom. Richard has been appointed as global CEO of the ESET group, while Andrew has returned to ESET LLC as its CEO. It's good to know, though, that Miroslav Trnka

AMTSO, Testing and the Media

I’m in Washington right now, at the CSI conference. It won’t surprise regular readers to know I’m here to talk about testing anti-malware products (again!) So it may not surprise you to know also that I’m particularly interested to see an article [link no longer available – DH 2017] by Larry Seltzer that looks at the documents

AMTSO press release: approved Testing Guidelines

AMTSO, the Anti-Malware Testing Standards Organization, have just issue a press release [broken link removed 2017] about the guidelines documents just published on their web site after ratification by everyone present at the AMTSO meeting in Oxford at the end of October. You may have noticed that we’re quite optimistic about the beneficial future impact of

Election Malware and Social Engineering

The election may be over, but the bad guys are still milking it, and there are lessons to be learned. I guess there’s nothing that brings out the worst in human nature like an election. There were all those chain letters, rumours and hoaxes about how various candidates were undesirable, un-American, immoral etc.  Then there were

Giving (Samples) to Charity

Recently we noticed a thread in a forum associated with a free security product, originating in an open letter to a well-known tester, asking him to donate his sample set for the improvement of the product.

Asking for samples for testing

From time to time we are asked to provide samples or malicious URLs to individuals and groups who are not in the full-time testing business. We do, of course, share such material with other actors in the security industry who are within our web of trust, but are not usually able to honor requests from

Testing Internet Security Suites: More Questions than Answers…

…and for once we’re not one of the vendors getting hammered. Secunia, a Danish company that sends out security notifications, has announced that it has tested a dozen security suites. Interestingly, Secunia used a number of exploits developed in-house for analysing vulnerabilities rather than the sort of malware sample based testing that we’re more used

Phishers Don’t Care…

I don’t suppose you thought they did. But just to prove that scammers have no compunction about using people’s understandable fears about the current financial crisis as a means of stealing from them, here’s a short extract from a fairly typical example of a current wave of fraudulent emails. “Subject: New campaign against financial markets

Memetic Malware Part 36

Memetic malware, in case you haven’t heard me ranting on the subject before, is a pseudo-technical term applied by some to hoaxes, semi-hoaxes, urban legends and so on, especially when spread via email and other Internet services. The adjective memetic derives from the coining by Richard Dawkins of the noun meme, which he described in

A Shock to the System

When it comes to installation sizes, smaller is actually better, as long as essential features like detection aren’t compromised in order to reduce footprint, and we at ESET like to think that’s a trade-off we manage rather well. With all due respect to our colleagues and competitors at Symantec, their products, on the other hand,

Normal Service is Resumed…

As you may have noticed, we’ve been a little busy in the past few weeks, with major conferences and workshops in Estonia, Florida, and the Virus Bulletin conference in Ottawa. Unfortunately, we can’t tell you much about most of these: while some very important work on the mitigation of malware is done in and around

False positive

We’re quite proud of our record of low false positive rates, despite the occasional slip-up (all AV scanners have them: it’s an unfortunate fact of life, but we like to think that our usefulness in detecting real malware outweighs them in the long term). However, I’ve just been advised by our friends at Sophos (yes,

In Space, No‑one Can Hear You Scream “Virus!”

According to the Wired blog, non-critical laptops in the International Space Station were infected in July with malware: according to it was a (fairly old)password stealer that captures gaming credentials and spreads using autorun.inf (See? We told you these were problems!). also reckon that quite a few systems on the space station don’t carry

Testing Standards Revisited

ESET is very interested in and supportive of the Anti-Malware Testing Standards Organization (AMTSO), which aims to raise testing standards across the board and reduce the impact of misleading, poorly-conceived and -implemented comparative testing. Like many in the industry, we believe that benefits the end-user and the industry, and I’ve been heavily involved personally in

Myfotoos Live Messenger Worm

There is a worm which is aggressively broadcasting itself to Windows Live Messenger users, and possibly via social networking services (MySpace, Hi5, etc.). It’s known to affect users of MSN, AIM and Triton, and we have had several reports from people who were contacted by compromised hosts. When it infects a PC, the current version of the